<?php
require_once("constants.php");
include("database.php");
class Database
{
   var $connection;
  
   function Database(){
      /* Make connection to database */
      $this->connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS) or die(mysql_error());
      mysql_select_db(DB_NAME, $this->connection) or die(mysql_error());      
   }

   /**
    * confirmUserPass - Checks whether or not the given
    * username is in the database, if so it checks if the
    * given password is the same password in the database
    * for that user. If the user doesn't exist or if the
    * passwords don't match up, it returns an error code
    * (1 or 2). On success it returns 0.
    */
    function confirmUserPass($username, $password){      
      $salty = query_select("
        SELECT salt
        FROM user
        WHERE username = '" . $username . "'"
       );
  
      // If username doesn't exist, go back to login
      if(count($salty) == 0){
        return 2;
      }
      
      $md5_password = md5($salty[0]['salt'] . $password);      
      $safe_md5_password = sql_escape($md5_password);
  
      // Query Database
      $sqluser = "
      SELECT *
      FROM user
      WHERE username = '" . $username . "'
      AND password = '" . $safe_md5_password . "'";
	
      $users = query_select($sqluser);  
      
      if(count($users) == 0){
        // indicates error
        return 2; 
      }
      
      return 0;
    }
   
   /**
    * confirmUserID - Checks whether or not the given
    * username is in the database, if so it checks if the
    * given userid is the same userid in the database
    * for that user. If the user doesn't exist or if the
    * userids don't match up, it returns an error code
    * (1 or 2). On success it returns 0.
    */
   function confirmUserID($username, $userid){
      /* Add slashes if necessary (for query) */
      if(!get_magic_quotes_gpc()) {
	      $username = addslashes($username);
      }
      
      $q = "SELECT id FROM user WHERE username = '$username'";
      $result = mysql_query($q, $this->connection);
      if(!$result || (mysql_numrows($result) < 1)){
         return 1;
      }
      
      $dbarray = mysql_fetch_array($result);
      $dbarray['id'] = stripslashes($dbarray['id']);
      $userid = stripslashes($userid);

      /* Validate that userid is correct */
      if($userid == $dbarray['id']){
         return 0; 
      }
      else {
        //Indicates userid invalid
         return 2; 
      }
   }
   
   /**
    * usernameTaken - Returns true if the username has
    * been taken by another user, false otherwise.
    */
   function usernameTaken($username){
      if(!get_magic_quotes_gpc()){
         $username = addslashes($username);
      }
      $q = "SELECT username FROM user WHERE username = '$username'";
      $result = mysql_query($q, $this->connection);
      return (mysql_numrows($result) > 0);
   }
     
   
   /**
    * addNewUser - Inserts the given (username, password, email)
    * info into the database. Appropriate user level is set.
    * Returns true on success, false otherwise.
    */
    function addNewUser($username, $password){ 
      $salt = sql_escape($this->make_string(8));
      $md5pass = md5($salt . $password);
      $table = 'user';	
      $values = array('username' => $username, 'password' => $md5pass, 'salt' => $salt, 'isadmin' => 0, 'hash' => md5($username));       
      $id = query_insert($table, $values);
      
      if ($id == -1) {
        return 0;
      }
      
      return 1;
   }
   
   /**
    * updateUserField - Updates a field, specified by the field
    * parameter, in the user's row of the database.
    */
   function updateUserField($username, $field, $value){
      $q = "UPDATE user SET ".$field." = '$value' WHERE username = '$username'";
      return mysql_query($q, $this->connection);
   }
   
   /**
    * getUserInfo - Returns the result array from a mysql
    * query asking for all information stored regarding
    * the given username. If query fails, NULL is returned.
    */
   function getUserInfo($username){
      $q = "SELECT * FROM user WHERE username = '$username'";
      $result = mysql_query($q, $this->connection);
      /* Error occurred, return given name by default */
      if(!$result || (mysql_numrows($result) < 1)){
         return NULL;
      }
      
      $dbarray = mysql_fetch_array($result);
      return $dbarray;
   }
  
  /* Used to create salt for login */
  function make_string($length) {
    srand();
  
    $string = "";
  
    for($i = 0; $i < $length; $i++){
      $number = (rand() % (126-32)) + 32;
      $char = chr($number);
      $string .= $char;
    }
  
    return $string;
  }
   
   /**
    * query - Performs the given query on the database and
    * returns the result, which may be false, true or a
    * resource identifier.
    */
   function query($query){
      return mysql_query($query, $this->connection);
   }
    
};

$database = new Database;

?>
